Virus: TR/Drop.Small.cbx.1
Date discovered: 22/12/2005
Type: Trojan
Subtype: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 60.091 Bytes
MD5 checksum: 552d8f1e645a6a53ccd531d5731edf4b
VDF version: 6.33.00.53

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: PWS-JA
   •  Kaspersky: Trojan-Spy.Win32.Small.dg
   •  Bitdefender: Trojan.Spy.Small.W


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information

Files
It deletes the following file:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\tmp.tmp



The following files are created:

Non malicious files:
   • %TEMPDIR%\$_2341234.tmp
   • %TEMPDIR%\$_2341233.tmp
     This is a non malicious text file with the following content:
     %stolen information%

Files that are themselves malware (each is executed as soon as it has been fully written; further investigation showed that each of them is malware, too):
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
     Detected as: TR/Spy.Smal.dg.16.C
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
     Detected as: TR/Spy.Smal.dg.16.D
   • %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
     Detected as: TR/Drop.Sma.dg.16.C

Registry
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Shell"="%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"



The following registry value is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="explorer.exe"
   New value:
   • "Shell"="explorer.exe %empty spaces% %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
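As an added defender-side check (example code, not part of Avira's description), the following Python inspects the two persistence artefacts listed above: a Winlogon "Shell" value padded with blanks so that the appended path sits out of view in a narrow registry-editor column, and an HKCU Run entry named "Shell". The sample values are constructed from the description, and matching on the Web Folders directory is an assumption derived from the paths listed on this page.

```python
import re

# Default Winlogon shell on the Windows versions listed above (a known default, not page-specific).
EXPECTED_SHELL = "explorer.exe"
# Directory the dropper writes to, per the description; lower-cased for matching (assumption).
DROP_DIR = r"common files\microsoft shared\web folders"


def analyze_winlogon_shell(value: str) -> dict:
    """Inspect a Winlogon "Shell" value for a command hidden behind whitespace padding."""
    tokens = value.split()              # any run of spaces/tabs collapses here
    findings = []
    if not tokens or tokens[0].lower() != EXPECTED_SHELL:
        findings.append("shell is not explorer.exe: %r" % (tokens[0] if tokens else value))
    if len(tokens) > 1:
        findings.append("extra command appended: " + " ".join(tokens[1:]))
    pad = re.match(r"\S+(\s{2,})\S", value)   # two or more blanks right after the first token
    if pad:
        findings.append("%d blanks pad the appended command out of view" % len(pad.group(1)))
    if DROP_DIR in value.lower():
        findings.append("points into the Web Folders drop directory")
    return {"suspicious": bool(findings), "findings": findings}


def analyze_run_key(run_values: dict) -> list:
    """Flag HKCU Run entries that use the value name 'Shell' or point into the drop directory."""
    hits = []
    for name, cmd in run_values.items():
        if name.lower() == "shell" or DROP_DIR in cmd.lower():
            hits.append((name, cmd))
    return hits


# Constructed sample values modelled on the description above (not real captures).
CLEAN_SHELL = "explorer.exe"
INFECTED_SHELL = ("explorer.exe" + " " * 60 +
                  r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe")
RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Shell": r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe",
}

if __name__ == "__main__":
    print(analyze_winlogon_shell(INFECTED_SHELL))
    print(analyze_run_key(RUN_VALUES))
```

On a live Windows host the two values would be read with winreg (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and passed to these functions unchanged.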

Backdoor
The following ports are opened:
   • explorer.exe on a random TCP port in order to provide an HTTP server.
   • explorer.exe on a random TCP port in order to provide a SOCKS 5 proxy server.


Contact server:
All of the following:
   • http://d**********team.com/gamma/x25.php
   • http://no**********bs.com/gamma/x25.php

It may then send information to these servers. This is done via the HTTP POST method to a PHP script.


Sends information about:
   • Cached passwords
   • Created logfiles
   • IP address
   • Current malware status
   • Opened port
   • Collected information described in the stealing section
   • Information about the Windows operating system

Stealing
It tries to steal the following information:
   • Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

Passwords from the following programs:
   • Outlook
   • Eudora
   • AK-Mail
   • Thunderbird
   • The Bat
   • Flash FXP
   • Total commander
   • Far

A logging routine is started after a website is visited:
   • %any website that contains a login form%

It captures:
   • Window information
   • Login information

Injection
It injects the following file into a process: %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
   Process name:
   • explorer.exe

It injects the following file into a process: %PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
   Process name:
   • explorer.exe


Miscellaneous
Mutex:
It creates the following mutex:
   • MSARCH_MUTEX_NAME

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Daniel Constantin on Tuesday, January 3, 2006
Description updated by Daniel Constantin on Tuesday, January 3, 2006
